W32.Welchia.Worm removes Blaster

Post by augie » Mon Aug 18, 2003 11:30 pm

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:

- Exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.

- Exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.

The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.

The worm checks for active machines to infect by sending an ICMP echo, or PING, which will result in increased ICMP traffic.

The worm will also attempt to remove W32.Blaster.Worm.

Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]

Type: Worm
Infection Length: 10,240 bytes



Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0109, CAN-2003-0352

Source: Symantec

#beer
Last edited by augie on Wed Sep 17, 2003 8:11 pm, edited 1 time in total.
Community Director
Posts: 7870
Joined: Mon Aug 26, 2002 1:55 am
Location: Laurentians, Quebec
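
Added example (not part of the original post or the Symantec write-up it quotes): a small flow-log check for the behaviour described above, where a host pings many addresses and then connects to TCP 135 or TCP 80 on a host it has just pinged. The flow records, thresholds and function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic:
# (epoch_seconds, src, dst, proto, dst_port); port 0 is used for ICMP.
FLOWS = (
    [(i, "10.0.0.5", f"10.0.0.{10 + i}", "icmp-echo", 0) for i in range(6)]
    + [(7, "10.0.0.5", "10.0.0.11", "tcp", 135),
       (8, "10.0.0.5", "10.0.0.13", "tcp", 80)]
    # A monitoring box that pings one host repeatedly, then fetches a page.
    + [(t, "10.0.0.9", "10.0.0.1", "icmp-echo", 0) for t in (0, 30, 60)]
    + [(61, "10.0.0.9", "10.0.0.1", "tcp", 80),
       # Ordinary browsing with no preceding ping.
       (5, "10.0.0.7", "192.0.2.80", "tcp", 80)]
)

PING_FANOUT = 5           # assumed threshold: distinct hosts pinged per window
WINDOW = 60               # assumed window length in seconds
FOLLOW_PORTS = {135, 80}  # ports named in the post (DCOM RPC, WebDav on IIS)


def suspect_hosts(flows, fanout=PING_FANOUT, window=WINDOW):
    """Map each suspect source to the (dst, port) connections that followed a ping.

    A source is suspect when it pinged at least `fanout` distinct hosts inside
    one window AND opened TCP 135/80 to a host it pinged within `window` seconds.
    """
    pings = defaultdict(list)     # src -> [(ts, dst), ...] in time order
    followups = defaultdict(set)  # src -> {(dst, port), ...}
    for ts, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp-echo":
            pings[src].append((ts, dst))
        elif proto == "tcp" and port in FOLLOW_PORTS:
            if any(d == dst and 0 <= ts - t <= window for t, d in pings[src]):
                followups[src].add((dst, port))

    result = {}
    for src, events in pings.items():
        # Largest number of distinct ping targets seen in any single window.
        best = 0
        for i, (t0, _) in enumerate(events):
            best = max(best, len({d for t, d in events[i:] if t - t0 <= window}))
        if best >= fanout and followups[src]:
            result[src] = sorted(followups[src])
    return result


if __name__ == "__main__":
    print(suspect_hosts(FLOWS))
```

Requiring both the ping fan-out and the follow-up connection keeps a monitoring host or a normal web client from being flagged on either signal alone.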

Post by journeys » Wed Sep 17, 2003 5:45 am

Is there any way of removing the worm when infected? It seems I picked it up from Microsoft when downloading a critical update.
PRO Level 2
Posts: 14
Joined: Fri Mar 15, 2002 1:49 pm
Location: Canada

Post by augie » Wed Sep 17, 2003 7:55 am

You were just unlucky that you got infected while at Microsoft, not their fault. Here's a fix for you. Also, excuse my flippant remark on my original post. :embarrassed:

Get back to us to see if it worked. :yesnod:

Post by journeys » Wed Sep 17, 2003 4:35 pm

Thanks augie, for the link. The fix did the job, no more virus found.
Just a shame that I picked it up at Microsoft d/l a critical update!

^*^

Post by augie » Wed Sep 17, 2003 5:10 pm

Great ^*^

Post by *Starz* » Wed Sep 17, 2003 7:16 pm

journeys wrote: Just a shame that I picked it up at Microsoft d/l a critical update!

LOL...in spite of the situation with MS and yourself...it is kind of ironic...isn't it... :roleeyes
PRO Level 16
Posts: 1893
Joined: Sat Aug 17, 2002 1:05 am
Location: Great Smoky Mountains

Post by RIP! » Wed Sep 17, 2003 7:45 pm

hehehe
RIP!

Post by augie » Wed Sep 17, 2003 8:10 pm

I think I'll edit my header, Welchia is as bad as Blaster for tying up internet resources.

Post by Dalsim » Thu Sep 18, 2003 3:35 am

Tell me about it. We got hit by it at work, and about 70% of our 326 machines that run XP were infected. So you can see what it would have done to the bandwidth. We had switches freezing everywhere and Telstra disconnected us due to the amount of traffic we were producing. Took us a week to clear the problem up.
"Life is merely a fraction of a second. An infinitely small amount of time to fulfill our desires, our dreams, our passions." Paul Gauguin (1848 - 1904)
AEST
PROfessional Member
Posts: 1119
Joined: Sun Jun 15, 2003 7:07 am
Location: Queensland, Australia
